Blackhunt

Also known as: Blackhunt

Introduction

Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model: it encrypts victim files and threatens to publish stolen data on a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. The .BlackHunt extension is appended to encrypted files, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. To maximize impact, the ransomware can terminate processes, delete shadow copies, and disable recovery functions. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials from initial access brokers. Although it is less active than the major RaaS families, its leak site has featured victims from multiple countries, suggesting an international reach.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.